Three people in Louisiana recently pled guilty to federal bank larceny charges following an identity theft scheme that resulted from the unauthorized release of protected health information (PHI) by an employee at a medical clinic. We all have heard about the fines assessed against covered entities and business associates who have violated HIPAA standards and been caught.
Many may not realize that the HIPAA law also contains criminal penalties that can come into play in certain situations. We will address what constitutes a criminal violation of HIPAA, who can be charged, and what the possible criminal penalties for a HIPAA violation are.
HIPAA Violations: Civil vs. Criminal?
The primary focus of HIPAA’s Rules and Regulations is maintaining the privacy and security of each patient’s PHI. The Department of Health and Human Services’ Office for Civil Rights is responsible for enforcement of HIPAA, which can be done both through regular audits and investigations following a data breach.
If violations of HIPAA rules are discovered, OCR can then assess civil penalties, including fines and monitoring, depending on the severity of the violation and the organization’s awareness of the circumstances.
The decision to file criminal charges for HIPAA violations is within the purview of the Department of Justice and prosecuted by the U.S. Attorney’s Office. The law provides a very clear basis to justify criminal charges. In U.S. Code 42, Section; 1320d-6, the offense is defined as a “person who knowingly:
- Uses or causes to be used a unique health identifier;
- Obtains individually identifiable health information relating to an individual; or
- Discloses individually identifiable health information to another person.”
The word “knowingly” in the statute is important as well. Based on charging guidance from the U.S. Attorney’s Office of Legal Counsel, the term simply means that the facts of the violation are known. The lack of awareness that the violation is a crime should not be considered a defense. Unless the disclosure meets one of the exceptions allowed by the HIPAA Privacy Rule, there could be serious consequences.
Criminal Penalties for HIPAA Violations: Who Can be Charged?
For the purpose of charging, federal prosecutors have defined “person” as an individual or an organization. In general, criminal charges are reserved for especially flagrant violations of the law or violations that were part of a larger conspiracy.
One example of this is the case of Landon Eckles, 30, of Huntersville, N.C. The former district manager of pharmaceutical company Warner Chilcott pleaded guilty to wrongful disclosure of identifiable health information in violation of the criminal provisions of the Health Insurance Portability and Accountability Act (HIPAA). He received one year of probation and was fined $10,000.
His actions were part of a wider scheme by Warner Chilcott to illegally promote drugs by providing kickbacks to doctors and illegally accessing PHI to provide false, inaccurate, or misleading prior authorization requests to federal health care programs for two of their drugs. As part of a plea agreement, the company agreed to pay $125 million to resolve criminal and civil liability.
HIPAA Criminal Penalties: How Much and How Long?
Much like the civil penalties, criminal penalties for violating HIPAA rules are tiered based on the severity of the offense. Going back to the law, “A person described shall—
- be fined not more than $50,000, imprisoned not more than 1 year, or both;
- if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
- if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.”
Many criminal cases involving HIPAA violations are not charged as such. In the case from Louisiana mentioned earlier, the three individuals involved pled guilty to bank larceny charges and were sentenced for that crime.
Federal prosecutors are free to use their discretion in these matters. The crimes resulting from a HIPAA violation can be charged in either federal or state court, and the penalties vary by jurisdiction.
The takeaway is that the consequences of a HIPAA violation are not something that only affects medical practices or business associates. The individuals responsible may face personal penalties for their actions as well.